I am from Germany. I have interests in security-related subjects and follow pages here on a variety of networking and encryption topics. The distro I have used most is Debian, interrupted by stints to Ubuntu. I have been using Arch since Mid 2011. Feel free to leave comments on the talk page here or send me an email via the wiki interface.

this may be overcome by adding the {{ic|shutdown}} hook to [[mkinitcpio]] and regenerating the kernel image. Note this is a recommended hook for a separate {{ic|/usr}} or an encrypted partition.}}

[quote=falconindy][quote=eomanis]There is no hint as to how to specify multiple files in [url=https://wiki.archlinux.org/index.php/Mkinitcpio#BINARIES_and_FILES]Mkinitcpio: BINARIES and FILES[/url]. Maybe this is supposed to be declared as a bash array or something?[/quote]

For hysterical raisins, it's a simple string, not an array. Multiple items are space delimited, as documented by mkinitcpio.conf(5).[/quote]

== Work-in-progress page ==

Mind you: I was not using Arch yet when most of the following section was written. It is saved here because we re-worked the original considerably. This will be deleted in September 2013.

== Encrypting a LVM setup ==

{{Merge|Encrypted_LVM |Device mapper stacking is explained there building on the LVM wiki with a howto for both approaches below.}}

It's really easy to use encryption with [[LVM]]. If you do not know how to set up LVM, then read [[Installing with Software RAID or LVM]].

'''LVM on LUKS'''

The easiest and best method is to set up LVM on top of the encrypted partition instead of the other way round. This link here is easy to follow and explains everything: [http://www.pindarsign.de/webblog/?p=767 Arch Linux: LVM on top of an encrypted partition]

The most important thing in setting LVM on '''top''' of encryption is to [[#Configure initramfs|configure the initramfs]] for running '''both''' the {{ic|encrypt}} hook '''and''' the {{ic|lvm2}} hook (and those two before the {{ic|filesystems}} hook). In the past, it was necessary to ensure the correct ordering of these hooks in {{ic|/etc/mkinitcpio.conf}} but the order no longer matters with the current implementation of {{ic|lvm2}}.

'''LUKS on LVM'''

To use encryption on top of LVM, you have to first set up your LVM volumes and then use them as the base for the encrypted partitions. That means, in short, that you have to set up LVM first. Then follow this guide, but replace all occurrences of {{ic|/dev/sdXy}} in the guide with the LVM counterpart (e.g. {{ic|/dev/sda5}} -> {{ic|/dev/<volume group name>/home}}). This can be used to set up logical volumes (inside the LVM) that are unlocked separately, or a mixture of encrypted and unencrypted volumes.

For encrypted partitions inside an LVM, the {{ic|lvm2}} hook has to run first, before the respective encrypted logical volumes can be unlocked. Therefore, if you chose to set up encrypted partitions on '''top''' of LVM, add the {{ic|encrypt}} hook in {{ic|/etc/mkinitcpio.conf}} '''after''' the {{ic|lvm2}} hook.
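The two ordering rules above (encrypt before lvm2 for LVM on LUKS, lvm2 before encrypt for LUKS on LVM, and both before filesystems) are easy to get backwards when editing {{ic|/etc/mkinitcpio.conf}} by hand, and the result is an initramfs that cannot find its root. The following POSIX shell script is an added example, not code from this page or from mkinitcpio: it reads a HOOKS value and checks it against the layout you name. The function names ({{ic|check_hooks}}, {{ic|hook_index}}, {{ic|hooks_from_conf}}) and the sample HOOKS strings are my own; the LVM-on-LUKS rule enforces the conservative encrypt-before-lvm2 order even though, as noted above, the current {{ic|lvm2}} hook tolerates the other order.

```sh
#!/bin/sh
# Added example, not from the wiki page or from mkinitcpio itself: check the
# HOOKS line of a mkinitcpio.conf for one of the two dm-crypt/LVM layouts.
#
#   check_hooks lvm-on-luks "HOOKS..."   encrypt must run before lvm2
#   check_hooks luks-on-lvm "HOOKS..."   lvm2 must run before encrypt
#
# In both layouts encrypt and lvm2 must be present and must both precede
# filesystems. Returns 0 when the ordering is right, 1 with a reason on
# stderr otherwise, 2 on a bad layout name.

# hook_index NAME "HOOKS..." -> 1-based position of NAME, or 0 if absent
hook_index() {
    _needle=$1
    _i=0
    for _h in $2; do
        _i=$((_i + 1))
        if [ "$_h" = "$_needle" ]; then
            echo "$_i"
            return 0
        fi
    done
    echo 0
}

check_hooks() {
    layout=$1
    hooks=$2
    enc=$(hook_index encrypt "$hooks")
    lvm=$(hook_index lvm2 "$hooks")
    fs=$(hook_index filesystems "$hooks")

    if [ "$enc" -eq 0 ] || [ "$lvm" -eq 0 ] || [ "$fs" -eq 0 ]; then
        echo "error: HOOKS must contain encrypt, lvm2 and filesystems: $hooks" >&2
        return 1
    fi
    if [ "$enc" -gt "$fs" ] || [ "$lvm" -gt "$fs" ]; then
        echo "error: encrypt and lvm2 must both precede filesystems" >&2
        return 1
    fi
    case $layout in
        lvm-on-luks)
            if [ "$enc" -gt "$lvm" ]; then
                echo "error: LVM on LUKS needs encrypt before lvm2" >&2
                return 1
            fi
            ;;
        luks-on-lvm)
            if [ "$lvm" -gt "$enc" ]; then
                echo "error: LUKS on LVM needs lvm2 before encrypt" >&2
                return 1
            fi
            ;;
        *)
            echo "usage: check_hooks lvm-on-luks|luks-on-lvm 'HOOKS...'" >&2
            return 2
            ;;
    esac
}

# hooks_from_conf [FILE] -> the HOOKS value of a mkinitcpio.conf, accepting
# both the quoted-string form of 2013 (HOOKS="...") and the later array form
# (HOOKS=(...)); defaults to /etc/mkinitcpio.conf.
hooks_from_conf() {
    sed -n 's/^HOOKS=["(]*\(.*[^")]\)[")]*$/\1/p' "${1:-/etc/mkinitcpio.conf}"
}

# Constructed sample HOOKS strings for the two layouts; both pass.
check_hooks lvm-on-luks "base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"
check_hooks luks-on-lvm "base udev autodetect modconf block lvm2 encrypt filesystems keyboard fsck"
# Against the real file: check_hooks lvm-on-luks "$(hooks_from_conf)"
```

Run {{ic|check_hooks lvm-on-luks "$(hooks_from_conf)"}} (or {{ic|luks-on-lvm}}) before regenerating the image with {{ic|mkinitcpio -p linux}}; a non-zero exit with the reason on stderr means the HOOKS line needs reordering first.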

=== LVM with Arch Linux Installer (>2009.08 <2012.07.15) ===

{{Out of date|As of the [https://www.archlinux.org/news/install-media-20120715-released/ 2012.07.15 installation media release] the AIF (Arch Installation Framework) and grub-legacy are dropped. These outdated instructions still give the backbones to understanding what to do. If you plan to do a fresh install, also check the howto [[Encrypted_LVM]].}}

Between the Arch Linux installation media releases 2009.08 and 2012.07.15, LVM and dm-crypt were supported by the installer out of the box.

This made it very easy to configure a system for [[LVM]] on dm-crypt or vice versa.

The configuration is done exactly as without LVM: see the [[#Arch Linux Installer (>2009.08 <2012.07.15)|corresponding]] section above. It differs only in two aspects.

==== The partition and filesystem choice ====

Create a small, unencrypted boot partition and use the remaining space for a single partition which can later be split up into multiple logical volumes by [[LVM]].

For a LVM-on-dm-crypt system set up the filesystems and mounting points for example like this:

==== The configuration stage ====

* In {{ic|/etc/mkinitcpio.conf}} add the {{ic|encrypt}} hook '''before''' the {{ic|lvm2}} hook in the {{ic|HOOKS}} line, if you set up LVM on top of the encrypted partition.

That is it for the LVM & dm_crypt specific part. The rest is done as usual.

{{Accuracy|The {{ic|lvm2}} hook activates the (encrypted) root volume group long before sysvinit (or systemd) can run from there. Letting sysvinit later run a second LVM activation in addition serves no purpose. Read [[LVM#Configure system]]. However this error is duplicated within the [[#Encrypting a LVM setup]] section.}}

* In {{ic|/etc/rc.conf}} set {{ic|USELVM}} to {{ic|"yes"}}.

=== Applying this to a non-root partition ===

You might be tempted to apply all this to a non-root partition. Arch does not support this out of the box; however, you can easily change the {{ic|cryptdev}} and {{ic|cryptname}} values in {{ic|/lib/initcpio/hooks/encrypt}} (the first one to your {{ic|/dev/sd*}} partition, the second to the name you want to give the mapped device). That should be enough.

The big advantage is that everything can be automated, whereas setting up {{ic|/etc/crypttab}} with an external key file (i.e. a keyfile that is not on any internal hard drive partition) can be a pain: you need to make sure the USB/FireWire/... device gets mounted before the encrypted partition, which means you have to change the order of {{ic|/etc/fstab}} (at least).

Of course, if the {{Pkg|cryptsetup}} package gets upgraded, you will have to change this script again. However, this solution is to be preferred over hacking {{ic|/etc/rc.sysinit}} or similar files. Unlike {{ic|/etc/crypttab}}, only one partition is supported, but with some further hacking one should be able to have multiple partitions unlocked.

If you want to do this on a software RAID partition, there is one more thing you need to do. Just setting the {{ic|/dev/mdX}} device in {{ic|/lib/initcpio/hooks/encrypt}} is not enough: the {{ic|encrypt}} hook will fail to find the key, and will not prompt for a passphrase either, apparently because the RAID devices are not brought up until after the {{ic|encrypt}} hook has run. You can solve this by putting the RAID array in {{ic|/boot/grub/menu.lst}}, like

 kernel /boot/vmlinuz-linux md=1,/dev/hda5,/dev/hdb5

If you set up your root partition as a RAID, you will notice the similarities with that setup ;-). [[GRUB]] can handle multiple array definitions just fine:

(Saved here for intermediate reference upon removing the section from the LUKS wiki.)

=== AIF Instructions ===

{{Deletion|}}

{{Out of date|AIF (Arch Installation Framework; referenced below also as {{ic|/arch/setup}}) does not exist anymore, GRUB Legacy is not available anymore}}

==== Prepare hard drive for AIF ====

Now that {{ic|/dev/mapper/root}} and {{ic|/dev/mapper/home}} are in place, we can enter the regular Arch setup script to install the system into the encrypted volumes.

 # /arch/setup

Skip the Partitioning and Auto-Prepare steps and go straight to manual configuration.

Instead of choosing the hardware devices ({{ic|/dev/sdaX}}) directly, you have to select the mapper devices created above.

Choose {{ic|/dev/mapper/root}} for your root and {{ic|/dev/mapper/home}} as {{ic|/home}} partition respectively and format them with any filesystem you like.

The same applies to a swap partition, which is set up like the {{ic|/home}} partition. Make sure you mount {{ic|/dev/sda1}} as the {{ic|/boot}} partition, or else the installer will not properly set up the bootloader.

==== Select and Install packages ====

Select and install the packages as usual: the base package contains all required programs.

==== Exit Install ====

Now that the install is finished the only thing left to do is add entries to the {{ic|/etc/crypttab}} file so you do not have to enter the passphrase for all encrypted partitions. This works only for non-root partitions e.g. {{ic|/home}}, swap, etc.

 # vi /mnt/etc/crypttab

Add one of the following for the {{ic|/home}} partition.

{{Note|Using a passphrase to decrypt LUKS partitions automatically from {{ic|/etc/crypttab}} is deprecated: see http://www.mail-archive.com/arch-projects@archlinux.org/msg02115.html}}

 home /dev/sda5 /etc/mypassword1

You can also use a keyfile instead of a passphrase. If not already done, create a keyfile and add the key to the corresponding LUKS partition as described [[#Adding_Additional_Passphrases_or_Keyfiles_to_a_LUKS_Encrypted_Partition|above]].

Then add the following information to the {{ic|/etc/crypttab}} file for automounting:

 home /dev/sda5 /path/of/your/keyfile

If you used a USB device to store your keyfile, you should have something like this:

 home /dev/sda5 /dev/sd*1/keyfile

Or if the keyfile was stored in the MBR, it should be like this:

 home /dev/sda5 /dev/sd*:2048:2048

{{Box BLUE|Note:|When reading the keyfile from the MBR it should be {{ic|/dev/sdb}} not {{ic|/dev/sdb1}} but if the key is in the filesystem it should still be {{ic|/dev/sdb1}}.}}
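The {{ic|DEVICE:OFFSET:SIZE}} notation in the crypttab line above (the {{ic|encrypt}} hook's {{ic|cryptkey}} parameter uses the same form, with offset and size in bytes) addresses raw bytes on the disk, so the check a practitioner wants before writing a key into the "MBR gap" is that those bytes are really unused: after the 512-byte MBR, before the first partition, and not on a GPT-labelled disk, whose header and partition entries begin at byte 512 and would be overwritten. The following POSIX shell script is an added example, not code from this page or from cryptsetup or mkinitcpio; it performs that check and the write/read round trip on a constructed disk image file rather than a real device, so it runs offline. The function names and the 2 MiB sample image with partition 1 at LBA 2048 are my own assumptions.

```sh
#!/bin/sh
# Added example, not from the wiki page: exercise the DEVICE:OFFSET:SIZE key
# location used above (cryptkey=/dev/sdb:2048:2048) against a constructed disk
# image file instead of a real drive, so it runs offline and cannot damage a
# disk. Offset and size are in bytes, as the encrypt hook reads them.
#
#   gap_is_free   IMAGE OFFSET SIZE          is that byte range really unused?
#   write_gap_key IMAGE KEYFILE OFFSET SIZE  store a raw key in the MBR gap
#   read_gap_key  IMAGE OUTFILE OFFSET SIZE  read it back the way the hook does

# le32_at FILE OFFSET -> little-endian 32-bit value at OFFSET, in decimal
le32_at() {
    od -A n -t u4 -j "$2" -N 4 "$1" | tr -d ' '
}

# The key must lie after the 512-byte MBR and before the first partition.
# A GPT disk has no usable gap here: its header sits at byte 512 and the
# partition entries follow, so writing a key there corrupts the label.
gap_is_free() {
    img=$1 off=$2 size=$3
    end=$((off + size))
    if [ "$off" -lt 512 ]; then
        echo "error: offset $off overlaps the MBR" >&2
        return 1
    fi
    if dd if="$img" bs=1 skip=512 count=8 2>/dev/null | grep -q 'EFI PART'; then
        echo "error: disk carries a GPT label; there is no free MBR gap" >&2
        return 1
    fi
    # partition entry 1 is the 16 bytes at 446; its start LBA is at entry offset 8
    start_lba=$(le32_at "$img" 454)
    if [ "$start_lba" -gt 0 ] && [ "$end" -gt $((start_lba * 512)) ]; then
        echo "error: key would run into partition 1 at byte $((start_lba * 512))" >&2
        return 1
    fi
    return 0
}

write_gap_key() {
    img=$1 key=$2 off=$3 size=$4
    gap_is_free "$img" "$off" "$size" || return 1
    if [ "$(wc -c < "$key" | tr -d ' ')" -ne "$size" ]; then
        echo "error: keyfile is not exactly $size bytes" >&2
        return 1
    fi
    dd if="$key" of="$img" bs=1 seek="$off" count="$size" conv=notrunc 2>/dev/null
}

# The same dd the encrypt hook performs for cryptkey=DEVICE:OFFSET:SIZE.
read_gap_key() {
    dd if="$1" of="$2" bs=1 skip="$3" count="$4" 2>/dev/null
}

# Round trip on a constructed 2 MiB image whose MBR says partition 1 starts at
# LBA 2048 (byte 1048576), the usual modern layout; returns 0 on success.
demo_roundtrip() {
    dir=$(mktemp -d)
    img=$dir/disk.img key=$dir/key.bin out=$dir/key.out
    dd if=/dev/zero of="$img" bs=1024 count=2048 2>/dev/null
    # start LBA 0x800 at byte 454, boot signature 0x55AA at byte 510
    printf '\000\010\000\000' | dd of="$img" bs=1 seek=454 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
    head -c 2048 /dev/urandom > "$key"
    write_gap_key "$img" "$key" 2048 2048 || { rm -rf "$dir"; return 1; }
    read_gap_key "$img" "$out" 2048 2048
    cmp -s "$key" "$out"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo_roundtrip && echo "key written to and read back from the MBR gap intact"
```

On a real disk the same functions take the device node (e.g. {{ic|/dev/sdb}}, not {{ic|/dev/sdb1}}, exactly as the note above says) and need root; run {{ic|gap_is_free}} first and only then {{ic|dd}} the key, because a wrong offset on a GPT disk or one whose first partition starts early destroys the partition table rather than the key.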

After rebooting you should now be presented with the text

 A password is required to access the root filesystem:

followed by a prompt for a LUKS password. Type it in and everything should boot.

Once you have logged in, have a look at your mounted partitions by typing {{ic|mount}}. You should have {{ic|/dev/mapper/root}} mounted at {{ic|/}} and, if you set up a separate encrypted home partition, {{ic|/dev/mapper/home}} mounted at {{ic|/home}}. If you set up encrypted swap, {{ic|swapon -s}} should have {{ic|/dev/mapper/swap}} listed as your swap partition.

{{Note|The text prompting for the password may get mixed up with other boot messages, so the boot process may seem frozen at first glance. It is not: simply enter your password and press {{keypress|Enter}}.}}

==== GRUB Legacy ====

{{Out of date|Like AIF in this section, GRUB Legacy and LILO are dropped. }}

'''[[GRUB Legacy]]:''' You have to make some small changes to the entries generated by the installer by replacing {{ic|/dev/mapper/root}} with {{ic|/dev/sda3}}. The important point to remember here is to use the same {{ic|cryptdevice}} name you assigned when you initially unlocked your device. In this example, the device name is {{ic|cryptroot}}; customize yours accordingly:

==== LILO ====

'''LILO:''' Edit the Arch Linux section in {{ic|/etc/lilo.conf}} and include a line for the {{ic|append}} option, next to the {{ic|initrd}} line, with the {{ic|root<nowiki>=</nowiki>/dev/sda3}} parameter. The {{ic|append}} value yields the same kernel command line as in GRUB. Also, you can omit the {{ic|root}} option above the {{ic|image}} option. The section looks like this:

 # Arch Linux lilo section
 image = /vmlinuz-linux
 # root = /dev/sda3
 label = Arch
 initrd = /initramfs-linux.img
 append = "root=/dev/sda3"
 read-only

If you want to use a USB flash drive with a keyfile, you have to append the {{ic|cryptkey}} option. See the corresponding section above.

Revision as of 11:05, 11 August 2013
